b'         AUDIT REPORT\n\n     REDACTED FOR PUBLIC RELEASE\n\n           Audit of NRC\xe2\x80\x99s Oversight of the\nAccess Authorization Program for Nuclear Power Plants\n\n\n         OIG-10-A-21     September 30, 2010\n\n\n\n\n All publicly available OIG reports are accessible through\n                     NRC\xe2\x80\x99s Web site at:\n http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                 UNITED STATES\n                         NUCLEAR REGULATORY COMMISSION\n                                 WASHINGTON, D.C. 20555-0001\n\n\n\n\nOFFICE OF THE\nINSPECTOR GENERAL\n\n\n                                          September 30, 2010\n\n\nMEMORANDUM TO:              R. William Borchardt\n                            Executive Director for Operations\n\n\nFROM:                       Stephen D. Dingbaum /RA/\n                            Assistant Inspector General for Audits\n\n\nSUBJECT:                    AUDIT OF NRC\xe2\x80\x99S OVERSIGHT OF THE ACCESS\n                            AUTHORIZATION PROGRAM FOR NUCLEAR POWER\n                            PLANTS (OIG-10-A-21)\n\nAttached is the Office of the Inspector General\xe2\x80\x99s (OIG) audit report titled, Audit of NRC\xe2\x80\x99s\nOversight of the Access Authorization Program for Nuclear Power Plants.\n\nThe report presents the results of the subject audit. Agency comments provided at the\nAugust 25, 2010, exit conference have been incorporated, as appropriate, into this\nreport.\n\nPlease provide information on actions taken or planned on each of the\nrecommendations within 30 days of the date of this memorandum. Actions taken or\nplanned are subject to OIG followup as stated in Management Directive 6.1.\n\nWe appreciate the cooperation extended to us by members of your staff during the\naudit. If you have any questions or comments about our report, please contact me at\n415-5915 or Beth Serepca, Team Leader, Security and Information Management\nAudits, at 415-5911.\n\nAttachment: As stated\n\x0c             Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\n\nBACKGROUND\n\n     The Nuclear Regulatory Commission (NRC) has promulgated regulations\n     requiring that its licensees implement an access authorization program to\n     provide high assurance that individuals who are granted unescorted\n     access and those individuals who maintain unescorted access to nuclear\n     power plants are trustworthy and reliable and do not constitute an\n     unreasonable risk to public health and safety, including the potential to\n     commit radiological sabotage.\n\n     NRC inspects licensee access authorization programs to verify that\n     licensees are implementing programs in accordance with NRC regulations\n     and the facilities\xe2\x80\x99 security plans. Regional security inspectors conduct\n     these inspections on a triennial cycle. Specifically, these inspectors look\n     to provide assurance that a licensee\xe2\x80\x99s access authorization program and\n     its implementation process and procedures ensure individuals granted\n     unescorted access are trustworthy and reliable.\n\n     OFFICIAL USE ONLY \xe2\x80\x93 PARAGRAPH HAS BEEN REDACTED FOR\n     PUBLIC RELEASE\n\n\n\n\n     Sharif Mobley was arrested and charged in Yemen as a suspected\n     member of al Qaeda in March 2010. Prior to his arrest, Mobley worked as\n     a general laborer at six nuclear power plants in the United States between\n     2002 and 2008. Mobley\xe2\x80\x99s arrest prompted congressional interest and in\n     early 2010, following Mobley\xe2\x80\x99s arrest, Senator Charles Schumer and\n\n\n\n\n                                        i\n\x0c        Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\nCongressman William Owens sent letters to NRC\xe2\x80\x99s Inspector General\nrequesting a thorough and comprehensive review of NRC\xe2\x80\x99s process\nrequirements for licensees granting unescorted access at nuclear power\nplants.\n\nIn light of the Sharif Mobley incident, NRC is evaluating the access\nauthorization process and NSIR\xe2\x80\x99s interface with the FBI\xe2\x80\x99s Terrorist\nScreening Center. NRC has made some initial enhancements to certain\naspects of the access authorization program.\n\n\n\n\nThe purpose of this audit was to determine the effectiveness of NRC\xe2\x80\x99s\noversight of nuclear power plant access authorization programs.\nAppendix A contains more information on the audit scope and\nmethodology.\n\n\n\n\nThis audit found that program performance could be enhanced by\nimplementing Office of the Inspector General (OIG) recommendations\nregarding:\n\n   Behavioral Observation Program training requirements.\n   PADS database access.\n   NRC\xe2\x80\x99s procedures for screening individuals granted unescorted\n   access.\n\n\n\n\nOFFICIAL USE ONLY \xe2\x80\x93 PARAGRAPH HAS BEEN REDACTED FOR\nPUBLIC RELEASE\n\n\n\n\n                                   ii\n\x0c      Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\n\nOFFICIAL USE ONLY \xe2\x80\x93 PAGE HAS BEEN REDACTED FOR PUBLIC\nRELEASE\n\n\n\n\n                                 iii\n\x0c        Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\n\nOFFICIAL USE ONLY \xe2\x80\x93 SECTION HAS BEEN REDACTED FOR\nPUBLIC RELEASE\n\n\n\n\nThis report makes recommendations to improve the agency\xe2\x80\x99s oversight of\nthe access authorization program for nuclear power plants. A\nconsolidated list of these recommendations appears in Section V of this\nreport.\n\n\n\n\nAt an August 25, 2010, exit conference, agency senior managers\ngenerally agreed with the audit findings and recommendations and\nprovided editorial suggestions for OIG\xe2\x80\x99s consideration. This final report\nincorporates revisions made, where appropriate, as a result of the\nagency\xe2\x80\x99s suggestions.\n\n\n\n\n                                   iv\n\x0c       Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\n\nCFR          Code of Federal Regulations\n\nFBI          Federal Bureau of Investigation\n\nNRC          Nuclear Regulatory Commission\n\nNSIR         Office of Nuclear Security and Incident Response\n\nOIG          Office of the Inspector General\n\nPADS         Personnel Access Data System\n\nSSN          Social Security Number\n\n\n\n\n                                  v\n\x0c                   Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\nTABLE OF CONTENTS\n\n        EXECUTIVE SUMMARY ............................................................. i\n\n        ABBREVIATIONS AND ACRONYMS ......................................... v\n\n               I. BACKGROUND ............................................................. 1\n\n               II. PURPOSE .................................................................... 8\n\n               III. FINDINGS ..................................................................... 9\n\n                 A. BEHAVIORAL OBSERVATION PROGRAM\n                    TRAINING.................................................................... 10\n\n                 B. PADS DATABASE ACCESS .......................................... 15\n\n                 C. SCREENINGS PROCEDURES FOR INDIVIDUALS\n                    GRANTED UNESCORTED ACCESS ................................. 19\n\n        IV.    OBSERVATIONS ............................................................. 23\n\n        V.     CONSOLIDATED LIST OF RECOMMENDATIONS ......... 26\n\n        VI.    AGENCY COMMENTS ..................................................... 26\n\n    APPENDIX\n\n        A.     SCOPE AND METHODOLOGY ....................................... 27\n\n\n\n\n                                                 vi\n\x0c        Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\nI.   BACKGROUND\n\n          The Nuclear Regulatory Commission (NRC) has promulgated\n          regulations requiring that its licensees implement an access\n          authorization program to provide high assurance that individuals\n          who are granted unescorted access and those individuals who\n          maintain unescorted access to nuclear power plants are\n          trustworthy and reliable and do not constitute an unreasonable\n          risk to public health and safety, including the potential to commit\n          radiological sabotage. Following the terrorist attacks of\n          September 11, 2001, the Commission issued a series of\n          security orders to ensure that nuclear power plants continued to\n          have effective security measures in place given the changing\n          threat environment. Licensees revised their physical security\n          plans, access authorization programs, security officer training\n          and qualification plans, and safeguards contingency plans in\n          response to these orders.\n\n\n\n\n          Figure 1. Limerick Nuclear Power Plant\n          Source: NRC\n\n\n          Operating nuclear power plants need workers with unescorted\n          access during normal operations and scheduled outages (power\n          generation shutdowns) for required maintenance. Some\n\n\n\n\n                                          1\n\x0c              Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n                scheduled outages, such as refueling or steam generator\n                overhaul, are quite extensive and time consuming. During a\n                scheduled outage, a significant additional work force with\n                specific skills is required. This type of work cycle leads to a\n                continuous and ongoing need for temporary workers who must\n                have access to nuclear power plants. Many of these workers\n                move from one nuclear power plant, when the required work is\n                completed, to the next plant that is commencing its maintenance\n                outage.\n\n                Congressional Requests for Audit\n\n                Sharif Mobley was arrested and charged in Yemen as a\n                suspected member of al Qaeda in March 2010. Prior to his\n                arrest, Mobley worked as a general laborer at six1 nuclear\n                power plants in the United States between 2002 and 2008.\n                Mobley had unescorted access to these sites; however, he did\n                not have access to safeguards information2 or computer\n                systems. OFFICIAL USE ONLY \xe2\x80\x93 SENTENCE HAS BEEN\n                REDACTED FOR PUBLIC RELEASE Based on discussions\n                with affected licensees, NRC management stated that there was\n                no evidence to indicate that Mobley had been \xe2\x80\x9cradicalized\xe2\x80\x9d prior\n                to his most recent employment at Salem/Hope Creek.\n\n\n\n\n1\n Sharif Mobley primarily worked at Salem/Hope Creek [New Jersey] (76 weeks). He also\nworked at Three Mile Island [Pennsylvania] (2 weeks), Peach Bottom [Pennsylvania] (4\nweeks), Limerick [Pennsylvania] (4 weeks), and Calvert Cliffs [Maryland] (2 weeks). The\nSalem/Hope Creek power plants, although located next to each other, operate under\nseparate licenses.\n2\n  Safeguards information \xe2\x80\x93 An NRC categorization for information, which, if disclosed, could\nreasonably be expected to have a significant adverse effect on the health and safety of the\npublic and/or the common defense and security by significantly increasing the likelihood of\ntheft, diversion, or sabotage of materials or facilities subject to NRC jurisdiction.\n\n                                                2\n\x0c              Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n                Mobley\xe2\x80\x99s arrest prompted congressional interest and in early\n                2010, following Mobley\xe2\x80\x99s arrest, Senator Charles Schumer and\n                Congressman William Owens sent letters to NRC\xe2\x80\x99s Inspector\n                General requesting a thorough and comprehensive review of\n                NRC\xe2\x80\x99s process requirements for licensees granting unescorted\n                access at nuclear power plants.\n\n                Obtaining Unescorted Access\n\n                Unescorted access to a nuclear power plant allows an individual\n                access to protected areas.3\n\n\n\n\n                Figure 2. Nuclear Power Plant Security Zones\n                Source: Nuclear Energy Institute\n\n\n\n\n3\n  Areas within the protected area that house equipment important for nuclear safety are\ndesignated as vital areas. Access to a vital area is allowed only if an individual has been\nauthorized to be in that area. Licensees grant access to vital areas of the plant based on the\njob specific duties of each individual. Licensees are required to establish a current access\nauthorization list for all vital areas. The access list must be updated by the cognizant licensee\nmanager or supervisor at least every 31 days and must be reapproved at least quarterly. The\nlicensee must include on the access list only individuals whose specific duties require access\nto vital areas during non-emergency conditions.\n\n                                                3\n\x0c              Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n                Obtaining unescorted access requires that an individual\n                satisfactorily complete all NRC regulatory requirements\n                established in the access authorization program. The primary\n                requirements that individuals must satisfy when initially applying\n                for unescorted access and during periodic reinvestigations4\n                consist of the following:\n\n                    A background investigation that includes a verification of\n                    true identity, employment verification with a suitable inquiry\n                    (i.e., education in lieu of employment and military service as\n                    employment), a credit check, and character and reputation\n                    determination. Many licensees use specialized security\n                    screening companies (contractors) to conduct these\n                    background investigations, although the licensee is required\n                    to adjudicate the results.\n\n                    A criminal history check is used as an evaluative measure\n                    to assist in the determination of whether the individual has a\n                    record of criminal activity that may adversely affect his or her\n                    trustworthiness and reliability. Licensees are required to\n                    collect fingerprints from applicants and forward them to\n                    NRC\xe2\x80\x99s Division of Facilities and Security. The Division of\n                    Facilities and Security acts as a conduit and submits the\n                    fingerprints to the FBI to obtain the applicant\xe2\x80\x99s criminal\n                    history record information. The Division of Facilities and\n                    Security sends the FBI investigation results to the licensees,\n                    who use them in determining the trustworthiness and\n                    reliability of an individual.\n\n                    A psychological assessment that provides information to\n                    identify indications of disturbances in personality or\n                    psychopathology and to assist in evaluating the possible\n\n\n\n\n4\n  Most reinvestigations are required to be completed at intervals not to exceed 5 years,\nalthough reinvestigations for individuals classified as belonging to the \xe2\x80\x9ccritical group\xe2\x80\x9d are\nrequired to be completed at intervals not to exceed 3 years. Critical group individuals have\nextensive knowledge of defensive strategies and design and/or implementation of the plant\xe2\x80\x99s\ndefense strategies.\n                                                4\n\x0c                Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n                      adverse impact of any noted psychological characteristics on\n                      the individual\xe2\x80\x99s trustworthiness and reliability.\n\n                      Drug testing of all applicants for the use of illegal drugs\n                      occurs during the initial application process for unescorted\n                      access. Additionally, when a pre-access drug sample is\n                      collected, the individual is then placed in an approved\n                      random testing program that satisfies NRC requirements.\n\n                  Maintaining Unescorted Access\n\n                  Federal regulations5 require participating in a Behavioral\n                  Observation Program and a Fitness-for-Duty Program to\n                  maintain unescorted access. These programs are elements of\n                  a licensee\xe2\x80\x99s overall access authorization program that assist in\n                  the oversight and monitoring of individuals granted unescorted\n                  access. Behavioral Observation Program training educates\n                  staff to recognize and report behaviors adverse to the safe\n                  operations and security of the facility and/or aberrant behavior\n                  that might adversely affect an individual\xe2\x80\x99s trustworthiness or\n                  reliability. A Fitness-for-Duty Program\xe2\x80\x99s objective is to provide\n                  reasonable assurance that individuals are not under the\n                  influence of any substance that would adversely affect their\n                  ability to safely and competently perform their duties.\n\n\n\n\n5\n    Title 10, Code of Federal Regulations (CFR), Part 26 subparts b & c, and 10 CFR 73.56.\n\n                                                  5\n\x0cAudit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\n\n  Figure 3: Calvert Cliffs Nuclear Power Plant\n  Source: NRC\n\n\n  NRC\xe2\x80\x99s Role in Access Authorization\n\n  NRC inspects licensee access authorization programs to verify\n  that licensees are implementing programs in accordance with\n  NRC regulations and the facilities\xe2\x80\x99 security plans. Regional\n  security inspectors conduct these inspections on a triennial\n  cycle. Specifically, these inspectors look to provide assurance\n  that a licensee\xe2\x80\x99s access authorization program and its\n  implementation process and procedures ensure individuals\n  granted unescorted access are trustworthy and reliable. If there\n  are any inspection findings, inspectors also present these\n  findings to the licensee\'s management and conduct followup\n  inspections to ensure that the licensee has taken corrective\n  action.\n\n  OFFICIAL USE ONLY \xe2\x80\x93 SECTION HAS BEEN REDACTED\n  FOR PUBLIC RELEASE\n\n\n\n\n                                  6\n\x0cAudit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\n\n  OFFICIAL USE ONLY \xe2\x80\x93 PAGE HAS BEEN REDACTED FOR\n  PUBLIC RELEASE\n\n\n\n\n                                  7\n\x0c         Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\n\n           OFFICIAL USE ONLY \xe2\x80\x93 SECTION HAS BEEN REDACTED\n           FOR PUBLIC RELEASE\n\n\n\n\nII.   PURPOSE\n\n           The purpose of this audit was to determine the effectiveness of\n           NRC\xe2\x80\x99s oversight of nuclear power plant access authorization\n           programs. Appendix A contains more information on the audit\n           scope and methodology.\n\n\n\n\n                                           8\n\x0c        Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\nIII. FINDINGS\n\n          NRC\xe2\x80\x99s access authorization requirements are intended to\n          provide high assurance that individuals granted unescorted\n          access to nuclear power plants are trustworthy and reliable and\n          do not constitute an unreasonable risk to public health and\n          safety, including the potential to commit radiological sabotage.\n          Reports that Sharif Mobley, a suspected member of al Qaeda,\n          worked at several nuclear power plants prompted congressional\n          requests for the Office of the Inspector General (OIG) to\n          conduct this audit. This audit found that program performance\n          could be enhanced by implementing OIG recommendations\n          regarding:\n\n              Behavioral Observation Program training requirements.\n\n              PADS database access.\n\n              NRC\xe2\x80\x99s procedures for screening individuals granted\n              unescorted access.\n\n\n\n\n          OFFICIAL USE ONLY \xe2\x80\x93 PARAGRAPH HAS BEEN\n          REDACTED FOR PUBLIC RELEASE\n\n\n\n\n                                          9\n\x0c    Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\nA. Behavioral Observation Program Training\n\n      One of the Behavioral Observation Program\xe2\x80\x99s stated objectives\n      is to detect and report behavior that may constitute an\n      unreasonable risk to the public health and safety, including a\n      potential threat to commit radiological sabotage. OFFICIAL\n      USE ONLY \xe2\x80\x93 SENTENCE HAS BEEN REDACTED FOR\n      PUBLIC RELEASE\n\n\n\n\n      Objective of the Behavioral Observation Program\n\n      One of the Behavioral Observation Program\xe2\x80\x99s objectives is to\n      detect and report behavior that may constitute an unreasonable\n      risk to public health and safety, including a potential threat to\n      commit radiological sabotage. OFFICIAL USE ONLY \xe2\x80\x93\n      SENTENCE HAS BEEN REDACTED FOR PUBLIC RELEASE\n\n\n\n\n      Behavioral Observation Program training is mandatory for all\n      individuals who are designated for unescorted access or are\n      maintaining their unescorted access to a nuclear power plant.\n\n\n\n\n                                     10\n\x0cAudit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n  The training addresses the knowledge and abilities necessary to\n  detect behavior or activities that potentially constitute an\n  unreasonable risk and communicates the requirement to report\n  noticeable changes in behavior, activities, or fitness-for-duty\n  concerns about other individuals to management-designated\n  personnel. The training program includes an initial\n  comprehensive examination, annual refresher training, and an\n  annual supervisory review by the individual\xe2\x80\x99s immediate\n  supervisor.\n\n\n\n\n  Figure 5. Salem Nuclear Power Plant\n  Source: NRC\n\n\n\n\n  OFFICIAL USE ONLY \xe2\x80\x93 SECTION HAS BEEN REDACTED\n  FOR PUBLIC RELEASE\n\n\n\n\n                                 11\n\x0c              Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n                OFFICIAL USE ONLY \xe2\x80\x93 SENTENCE HAS BEEN REDACTED\n                FOR PUBLIC RELEASE NRC regional security inspectors,\n                who routinely review licensee Behavioral Observation\n                Programs, stated that the essence of the program is to provide\n                personnel with unescorted access tools for how to recognize\n                other employees who are abusing substances. The following\n                table (Figure 4) illustrates some behaviors included, and not\n                included, in current Behavioral Observation Program training.\n\n        Training Includes Recognizing\n        and Reporting:\n\n Personal Health Behaviors\n\n        Drug and alcohol abuse\n        Sleepiness-yawning, tired eyes                      OFFICIAL USE ONLY \xe2\x80\x93\n        Increased irritability                              SECTION HAS BEEN\n        Shaky hands or twitching                            REDACTED FOR PUBLIC\n        Dizziness/Fainting                                  RELEASE\n\n\n\n Social Interaction Behavior\n\n        Temper outbursts\n        Refuses social contact\n        Overly suspicious of others\n\n\nFigure 4. Behavioral Observation Program training comparison\nSource: OIG generated\n\n\n\n\n                                               12\n\x0c    Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\n\n      OFFICIAL USE ONLY \xe2\x80\x93 SECTION HAS BEEN REDACTED\n      FOR PUBLIC RELEASE\n\n\n\n\nOFFICIAL USE ONLY \xe2\x80\x93 SENTENCE HAS BEEN REDACTED FOR\nPUBLIC RELEASE An internal industry investigation following the\nSharif Mobley incident uncovered that Mobley made statements to\nother employees that could be construed as suspicious. Specifically,\none licensee investigative report uncovered that during Mobley\xe2\x80\x99s\nemployment at a nuclear power plant, he stated, "We are brothers in\nthe union but if a Holy War comes, look out." Mobley also expressed\nhis belief that Islam is the only true faith and that non-Muslims are\ninfidels. Additionally, Mobley was observed with unusual Web sites on\nhis personal computer, including one with a picture of a mushroom\ncloud. Although an employee who knew Mobley since 2002 was\naware of this information, this information was only brought to light\nduring the course of the investigation. OFFICIAL USE ONLY \xe2\x80\x93\nSENTENCE HAS BEEN REDACTED FOR PUBLIC RELEASE\n\n\n\n\n                                     13\n\x0cAudit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\n\n  (Cont.) OFFICIAL USE ONLY \xe2\x80\x93 SENTENCE HAS BEEN\n  REDACTED FOR PUBLIC RELEASE\n\n\n  Recommendation\n\n  OIG recommends that the Executive Director for Operations:\n\n  1. OFFICIAL USE ONLY \xe2\x80\x93 RECOMMENDATION HAS BEEN\n     REDACTED FOR PUBLIC RELEASE\n\n\n\n\n                                 14\n\x0c    Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\nB. PADS Database Access\n\n\n\n\n      OFFICIAL USE ONLY \xe2\x80\x93 SECTION HAS BEEN REDACTED\n      FOR PUBLIC RELEASE\n\n\n\n\n      Federal Control Standards\n\n      The Government Accountability Office\xe2\x80\x99s Standards for Internal\n      Control in the Federal Government prescribes internal control\n      standards for timeliness, accuracy, and validity of data. These\n      standards require that management ensure there are adequate\n      means for promptly recording transactions to maintain their\n      relevance and value to management in controlling operations\n      and making decisions.\n\n\n\n\n                                     15\n\x0cAudit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\n\n  OFFICIAL USE ONLY \xe2\x80\x93 SECTION HAS BEEN REDACTED\n  FOR PUBLIC RELEASE\n\n\n\n\n  Figure 6. Hope Creek Nuclear Power Plant\n  Source: NRC\n\n\n\n\n  OFFICIAL USE ONLY \xe2\x80\x93 SECTION HAS BEEN REDACTED\n  FOR PUBLIC RELEASE\n\n\n\n\n                                 16\n\x0cAudit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\n\n  OFFICIAL USE ONLY \xe2\x80\x93 SECTION HAS BEEN REDACTED\n  FOR PUBLIC RELEASE\n\n\n\n  Reliance on Licensees\n\n  NRC regional inspectors request licensees to provide\n  information from PADS during inspections or on a case-by-case\n  basis if there is a need to query the database for a specific\n  person of interest. Commonly, inspectors will request\n  information by telephone or during nuclear power plant site\n  visits. Licensees then extract the data or run an inquiry in\n  PADS for the inspectors. One inspector reported that during\n  site visits, inspectors must physically look over someone\xe2\x80\x99s\n  shoulder while they retrieve the information from PADS for the\n  inspector to verify information presented by licensees. The\n  majority of inspectors interviewed suggested it would be\n  beneficial for NRC to have direct access to PADS.\n\n\n\n\n  OFFICIAL USE ONLY \xe2\x80\x93 SECTION HAS BEEN REDACTED\n  FOR PUBLIC RELEASE\n\n\n\n\n                                 17\n\x0cAudit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\n\n  OFFICIAL USE ONLY \xe2\x80\x93 SECTION HAS BEEN REDACTED\n  FOR PUBLIC RELEASE\n\n\n\n\n  Limited PADS access also restricts the inspectors\xe2\x80\x99 ability to\n  independently review and analyze PADS data for trends and\n  exceptions prior to actually inspecting the licensee. The validity\n  and/or completeness of licensee provided data is also an area\n  of concern.\n\n  Recommendation\n\n  OIG recommends that the Executive Director for Operations:\n\n  2. Obtain direct access to the Personnel Access Data System\n     (PADS) database.\n\n\n\n\n                                 18\n\x0c     Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\nC.   Screening Procedures for Individuals Granted Unescorted\n     Access\n\n\n\n\n       OFFICIAL USE ONLY \xe2\x80\x93 SECTION HAS BEEN REDACTED\n       FOR PUBLIC RELEASE\n\n\n\n\n       Figure 7. Peach Bottom Nuclear Power Plant\n       Source: NRC\n\n\n       Internal Control Requirements\n\n       Control is any action taken by management to enhance the\n       likelihood of achieving established objectives and goals.\n       Control activities are the policies, procedures, techniques, and\n\n\n\n\n                                      19\n\x0cAudit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n  mechanisms that enforce management\xe2\x80\x99s directives. Federal\n  standards require that NRC maintain a system of internal\n  controls.\n\n\n\n\n  OFFICIAL USE ONLY \xe2\x80\x93 SECTION HAS BEEN REDACTED\n  FOR PUBLIC RELEASE\n\n\n\n\n  Management Oversight\n\n  NRC planned to develop guidance describing the roles,\n  responsibilities, and expectations of the access authorization\n  program manager to achieve successful oversight of nuclear\n  power plant access authorization programs; however, no\n  formalized guidance exists.\n\n\n\n\n                                 20\n\x0cAudit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\n\n  OFFICIAL USE ONLY \xe2\x80\x93 PAGE HAS BEEN REDACTED FOR\n  PUBLIC RELEASE\n\n\n\n\n                                 21\n\x0cAudit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\n\n  OFFICIAL USE ONLY \xe2\x80\x93 SECTION HAS BEEN REDACTED\n  FOR PUBLIC RELEASE\n\n\n\n\n  Recommendation\n\n  OIG recommends that the Executive Director for Operations:\n\n  3. OFFICIAL USE ONLY \xe2\x80\x93 RECOMMENDATION HAS BEEN\n     REDACTED FOR PUBLIC RELEASE\n\n\n\n\n                                 22\n\x0c                 Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\nIV.       OBSERVATIONS\n\n                   Verification of True Identity\n\n                  NRC regulations6 require that licensees validate the social\n                  security number (SSN) that an individual provides prior to\n                  granting access to a nuclear power plant. Licensees accomplish\n                  SSN validations through background checks of employment\n                  history, credit history, and reference checks. OFFICIAL USE\n                  ONLY \xe2\x80\x93 SENTENCE HAS BEEN REDACTED FOR PUBLIC\n                  RELEASE\n\n\n\n\n                   Figure 9. Three Mile Island Nuclear Power Plant\n                   Source: NRC\n\n\n                  E-Verify is an Internet-based system, operated by the U.S.\n                  Citizenship and Immigration Services, designed to help\n                  employers determine employment eligibility of new hires and the\n                  validity of their SSNs.\n\n\n\n\n6\n    10 CFR 73.56(d)(3), Verification of True Identity.\n\n                                                  23\n\x0c             Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\n\n               OFFICIAL USE ONLY \xe2\x80\x93 PARAGRAPH HAS BEEN\n               REDACTED FOR PUBLIC RELEASE\n\n\n\n\n               U.S. Citizenship and Immigration Services management stated\n               that under current law,7 use of the E-Verify database is\n               restricted to confirming employment eligibility, thereby\n               prohibiting NRC and licensees from gaining access to the\n               system for verifying the SSNs for all licensee contractor\n               employees.\n\n               Required Disclosure of Past Employment Information\n\n               Licensees are required to verify employment/unemployment\n               history prior to granting access to a nuclear power plant.\n               Background investigators are required to ask previous\n               employers questions regarding an employee\xe2\x80\x99s past\n               performance. The past performance questions primarily focus\n               on fitness-for-duty compliance and reason for termination. Both\n               industry and NRC staff stated that many previous employers\n               verify the dates of employment for an applicant, while refusing\n               to answer the past performance questions for fear of litigation.\n               When a licensee is unable to obtain past employment\n               performance information from a previous employer, the use of\n               \xe2\x80\x9cbest effort\xe2\x80\x9d is permitted. Best effort allows a licensee to use\n               employment information obtained from an acceptable alternate\n               or secondary source to determine trustworthiness and reliability.\n               An acceptable alternate source could be a co-worker or a\n               reference on a current application for unescorted access, while\n               an acceptable secondary source could be a pay stub or W-2\n               form. OFFICIAL USE ONLY \xe2\x80\x93 SENTENCE HAS BEEN\n               REDACTED FOR PUBLIC RELEASE\n\n7\n Illegal Immigration Reform and Immigrant Responsibility Act of 1996, Public Law 104\xe2\x80\x93208,\nSeptember 30, 1996.\n\n                                              24\n\x0cAudit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\n\n  Disclosure of Foreign Travel\n\n  Disclosure of foreign travel is not required on personal history\n  questionnaires used to assist in processing background\n  investigations of individuals seeking to obtain unescorted\n  access to nuclear power plants. Requiring disclosure of foreign\n  travel on personal history questionnaires was an idea conveyed\n  to OIG during interviews. OFFICIAL USE ONLY \xe2\x80\x93 SECTION\n  HAS BEEN REDACTED FOR PUBLIC\n\n\n\n\n                                 25\n\x0c         Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n\nV.    CONSOLIDATED LIST OF RECOMMENDATIONS\n\n           OIG recommends that the Executive Director for Operations:\n\n           1. OFFICIAL USE ONLY \xe2\x80\x93 RECOMMENDATION HAS BEEN\n              REDACTED FOR PUBLIC RELEASE\n\n           2. Obtain direct access to the Personnel Access Data System\n              (PADS) database.\n\n           3. OFFICIAL USE ONLY \xe2\x80\x93 RECOMMENDATION HAS BEEN\n              REDACTED FOR PUBLIC RELEASE\n\n\n\n\nVI.   AGENCY COMMENTS\n\n           At an August 25, 2010, exit conference, agency senior\n           managers generally agreed with the audit findings and\n           recommendations and provided editorial suggestions for OIG\xe2\x80\x99s\n           consideration. This final report incorporates revisions made,\n           where appropriate, as a result of the agency\xe2\x80\x99s suggestions.\n\n\n\n\n                                          26\n\x0c      Audit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n                                                                             Appendix A\n\n\nSCOPE AND METHODOLOGY\n\n        The audit objective was to determine the effectiveness of NRC\xe2\x80\x99s\n        oversight of nuclear power plant access authorization programs.\n\n        To achieve the audit objective, the audit team reviewed\n        pertinent laws, regulations, and agency guidance to identify\n        criteria relevant to managing nuclear power plant access\n        authorization programs. Guidance reviewed included:\n\n            Code of Federal Regulations, Title 10 Section 73.56,\n            Personnel access authorization requirements for nuclear\n            power plants, March 27, 2009.\n\n            Illegal Immigration Reform and Immigrant Responsibility Act\n            of 1996, Public Law 104\xe2\x80\x93208, September 30, 1996.\n\n            Nuclear Energy Institute procedure, Nuclear Power Plant\n            Access Authorization Program, NEI 03-01 (Revision 3), May\n            2009.\n\n            Nuclear Energy Institute procedure, Guideline for Plant\n            Access Training, NEI 03-04 (Revision 7), December 2009.\n\n            The 2006 Memorandum of Understanding between the\n            Terrorist Screening Center and NRC in support of terrorist\n            screening.\n\n            NRC Inspection Procedure 71130.01, Access Authorization,\n            April 1, 2010.\n\n        Auditors met with congressional staff to gain an understanding\n        of the requested scope for this audit. In addition to conducting\n        interviews with current and former NRC staff, auditors also\n        interviewed an Access Authorization Program Manager and a\n        background investigation contractor. Interviews with inspectors\n\n        from each of NRC\xe2\x80\x99s four regions were conducted. Auditors also\n        reviewed access authorization files and analyzed reports. This\n                               27\n\x0cAudit of NRC\xe2\x80\x99s Oversight of the Access Authorization Program for Nuclear Power Plants\n\n\n  work gained auditors an understanding of NRC\xe2\x80\x99s oversight of\n  nuclear power plant access authorization programs. Current\n  issues, problems, and known deficiencies were uncovered\n  because of this work.\n\n  This performance audit was conducted from April 2010 through\n  July 2010, in accordance with generally accepted Government\n  auditing standards. Those standards require that the audit is\n  planned and performed with the objective of obtaining sufficient,\n  appropriate evidence to provide a reasonable basis for any\n  findings and conclusions based on the stated audit objective.\n  OIG believes that the evidence obtained provides a reasonable\n  basis for the report findings and conclusions based on the audit\n  objective. Internal controls related to the audit objective were\n  reviewed and analyzed. Throughout the audit, auditors were\n  aware of the possibility or existence of fraud, waste, or misuse\n  in the program.\n\n  Beth Serepca, Team Leader; Robert Woodward, Audit\n  Manager; Andrea Ferkile, Senior Management Analyst; and\n  Michael Dickerson, Summer Intern, conducted this work. We\n  performed this audit work at NRC headquarters in Rockville,\n  MD; NRC Region I office in King of Prussia, PA; and Exelon\n  Power Headquarters in Kennett Square, PA.\n\n\n\n\n                                 28\n\x0c'